Nat Pass and PF Default Rule
N. Ersen SISECI
siseci at gmail.com
Fri Nov 16 05:48:24 PST 2007
Hi,
I changed PF's default rule in the kernel (pf_ioctl.h). And then I restarted
my server.
After that, the server started successfully, and then the internal network (behind
the NAT) couldn't access the external network.
Rules:
pass in log quick all
pass out log quick all
NAT rule is:
nat pass on em0 inet all -> 192.168.1.1
I changed filtering and NAT rules like these. But it's not working.
And then I added a log line for the default rule in pf_ioctl.h:
pf_default_rule.log = PF_LOG;
And then I saw the blocking logs on pflog0 with the same rule set:
2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0:
.... ICMP ... 192.168.1.1 > 192.168.1.36: ICMP echo request
So, I removed the pass option in the NAT rule and it suddenly started
working.
From the man page of pf.conf:
Packets that match a translation rule are only
automatically passed if the /pass/ modifier is given, otherwise they are
still subject to /block/ and /pass/ rules.
But I think it's not working as described above.
NAT's pass option depends on PF's default rule in the kernel.
Is there anything I missed or got wrong?
Thanks.
N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey
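The diagnostic step in the message above, spotting which blocks come from the kernel's built-in default rule rather than from an explicit rule in pf.conf, can be automated over pflog output. The following is an added example, not code from the post or from the FreeBSD project; it assumes log lines in the tcpdump-on-pflog0 text shape quoted above (timestamp, `rule N/M(match): action dir on iface:` and then the packet summary) and treats rule number 4294967295, the value shown in the quoted log line, as the marker of the default rule. The sample log lines are constructed for the example.

```python
import re
from typing import Dict, List

# PF's built-in default rule has no rule number of its own; the pflog line
# quoted in the message reports it as 4294967295 (the u_int32 wrap of -1).
PF_DEFAULT_RULE = 4294967295

# Assumed line shape, modelled on the line quoted in the message:
# "<date> <time> rule <n>/<sub>(<reason>): <block|pass> <in|out> on <iface>: <packet>"
_LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): '
    r'(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): (?P<rest>.*)$'
)


def parse_pflog_line(line: str) -> Dict[str, object]:
    """Parse one pflog text line into its fields; raise on unknown shapes."""
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised pflog line: {line!r}")
    d = m.groupdict()
    rule = int(d['rule'])
    return {
        'timestamp': d['ts'],
        'rule': rule,
        'subrule': int(d['sub']),
        'reason': d['reason'],
        'action': d['action'],
        'direction': d['dir'],
        'iface': d['iface'],
        'packet': d['rest'],
        # True when no explicit pf.conf rule matched and the kernel default applied.
        'default_rule': rule == PF_DEFAULT_RULE,
    }


def default_rule_blocks(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries where the kernel default rule blocked a packet."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_pflog_line(line)
        if entry['default_rule'] and entry['action'] == 'block':
            hits.append(entry)
    return hits


# Constructed sample: the first and third lines mimic the block quoted in the
# message (default rule on em0); the second is a pass from explicit rule 0.
SAMPLE_LOG = """\
2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: 192.168.1.1 > 192.168.1.36: ICMP echo request
2007-11-16 15:03:20.104431 rule 0/0(match): pass in on em1: 192.168.1.36 > 10.0.0.5: ICMP echo request
2007-11-16 15:03:21.555102 rule 4294967295/0(match): block in on em0: 10.0.0.5 > 192.168.1.1: ICMP echo reply
"""

if __name__ == '__main__':
    for e in default_rule_blocks(SAMPLE_LOG.splitlines()):
        print(f"{e['timestamp']} {e['direction']} on {e['iface']}: "
              f"{e['packet']} (hit kernel default rule)")
```

Any block reported here means the packet matched none of the loaded `pass`/`block` rules, which is exactly the situation a `nat pass` rule combined with a changed default rule produces; seeing these alongside a ruleset that reads `pass ... quick all` is the signal that the translated packets are not reaching the filter rules at all.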